OTPulse

Authentication Bypass in SCALANCE X Switches Families

Plan Patch | 8.8 | SSA-443566 | Jan 14, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

An authentication bypass vulnerability exists in SCALANCE X switches that allows an unauthenticated attacker to violate access-control rules by sending a GET request to a specific URL on the web configuration interface. An attacker with network access could exploit this to obtain sensitive configuration information or modify device settings. Siemens has released firmware updates for all affected products.

What this means
What could happen
An attacker with network access to a vulnerable SCALANCE X switch could bypass authentication on the web interface, allowing them to read sensitive configuration data or modify switch settings without credentials. This could disrupt communications within your industrial network and allow unauthorized changes to network routing or device parameters.
Who's at risk
Water and electric utilities operating SCALANCE X industrial switches are affected. This includes companies using SCALANCE X302, X304, X306, X307, X308, X310, X320, X408, XR324, and X204RNA models for network connectivity in critical control system infrastructure. Any organization with these switches in their industrial network control systems should be concerned.
How it could be exploited
An attacker sends a crafted GET request to a specific URL on the switch's web configuration interface. Because the authentication check is bypassed, the request succeeds even without login credentials. The attacker can then retrieve configuration files or issue commands to reconfigure the switch.
Prerequisites
  • Network access to the web management interface (HTTP/HTTPS port, typically 80 or 443)
  • No credentials required
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • Affects network infrastructure devices that support critical operations
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (56)
56 with fix
Product                                   Affected Versions   Fix Status
SCALANCE X302-7 EEC (24V, coated)         < V4.1.3            4.1.3
SCALANCE X302-7 EEC (24V)                 < V4.1.3            4.1.3
SCALANCE X302-7 EEC (2x 230V, coated)     < V4.1.3            4.1.3
SCALANCE X302-7 EEC (2x 230V)             < V4.1.3            4.1.3
SCALANCE X302-7 EEC (2x 24V, coated)      < V4.1.3            4.1.3
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the web management interface of SCALANCE X switches using firewall rules; limit access to trusted engineering workstations only
HARDENING: Verify that all SCALANCE X switches in your network are running supported firmware versions and document the current version of each device
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SCALANCE X204RNA switches to firmware version 3.2.7 or later
HOTFIX: Update all other affected SCALANCE X switches (X302, X304, X306, X307, X308, X310, X320, X408, XR324) to firmware version 4.1.3 or later
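
The firmware verification step above can be scripted against an asset inventory. The following is an added example, not code from the advisory or from Siemens; the inventory rows, hostnames and status labels are constructed for illustration, and only the model families and fixed versions come from this page.

```python
import csv
import io
import re

# Fixed firmware versions and affected families as listed in this advisory.
FIXED_X204RNA = (3, 2, 7)
FIXED_OTHER = (4, 1, 3)
OTHER_FAMILIES = {"X302", "X304", "X306", "X307", "X308", "X310", "X320", "X408", "XR324"}

# Constructed sample inventory (hostnames, rows and versions are made up).
SAMPLE_INVENTORY = """host,model,firmware
sw-pump-01,SCALANCE X302-7 EEC (24V),V4.1.2
sw-sub-01,SCALANCE X204RNA,V3.2.6
sw-sub-02,SCALANCE X204RNA,3.2.10
sw-lab-01,ExampleCo SW-8,V1.0
sw-lab-02,SCALANCE X310,unknown
"""

def parse_version(text):
    """Turn 'V4.1.3' or '4.1.3' into (4, 1, 3); None if it is not a dotted number."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def fixed_version_for(model):
    """Return the fixed version for a family named in the advisory, else None."""
    m = re.search(r"\bSCALANCE\s+(XR?\d+)(RNA)?", model.upper())
    if m and m.group(1) == "X204" and m.group(2):
        return FIXED_X204RNA
    if m and m.group(1) in OTHER_FAMILIES and not m.group(2):
        return FIXED_OTHER
    return None

def audit(inventory_csv):
    """Map each host to PATCHED, VULNERABLE, UNKNOWN_VERSION or NOT_LISTED."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fixed = fixed_version_for(row["model"])
        current = parse_version(row["firmware"])
        if fixed is None:
            status = "NOT_LISTED"
        elif current is None:
            status = "UNKNOWN_VERSION"  # treat as unpatched until verified on the device
        else:
            # Tuple comparison is numeric, so 3.2.10 correctly sorts above 3.2.7.
            status = "PATCHED" if current >= fixed else "VULNERABLE"
        results[row["host"]] = status
    return results

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))
```

Hosts reported as VULNERABLE or UNKNOWN_VERSION are the ones to prioritise for the firewall restriction until they can be updated in a maintenance window.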